[ale] Error messages

Stephan Uphoff ups at tree.com
Wed Mar 17 23:24:20 EST 2004


Time to re-install from scratch.
Looks like a rpc.statd exploit.
Is this a Redhat 6.2 system or older ?
( http://www.securityfocus.com/bid/1480 )

Use a firewall !

	Stephan

Nick Travis wrote:
> I got an email from my ISP today saying that they think I have a virus on my
> network, The public IP address that they saw the traffic on is a linux
> webserver(running red hat), I checked out my /var/log/messages and this is
> what I found:
> Mar 15 04:02:00 web anacron[3212]: Updated timestamp for job `cron.daily' to
> 2004-03-15
> Mar 16 04:02:01 web anacron[3732]: Updated timestamp for job `cron.daily' to
> 2004-03-16
> Mar 16 06:09:49 web rpc.statd[362]: gethostbyname error for
> ^X???^X???^Y???^Y???^Z???^Z???^[???^[???bffff750 8049710 8052c1868746567
> 6274736f6d616e797265206520726f7220726f66
> 
>     bffff718
>          bffff719  bffff71a
> 
> bffff71b~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~
> P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~
> P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~
> P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~
> P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~
> P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~
> P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~
> P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~
> P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P
> Mar 16 06:51:26 web kernel: linsniffer uses obsolete (PF_INET,SOCK_PACKET)
> Mar 16 06:51:26 web kernel: eth0: Promiscuous mode enabled.
> Mar 16 06:51:26 web kernel: device eth0 entered promiscuous mode
> Mar 16 09:37:37 web kernel: neighbour table overflow
> Mar 16 09:37:37 web last message repeated 9 times
> Mar 16 09:38:37 web kernel: NET: 253 messages suppressed.
> Mar 16 09:38:37 web kernel: neighbour table overflow
> Mar 16 09:38:39 web last message repeated 9 times
> Mar 16 09:38:45 web kernel: NET: 220 messages suppressed.
> Mar 16 09:38:45 web kernel: neighbour table overflow
> Mar 16 09:38:47 web kernel: NET: 962 messages suppressed.
> Mar 16 09:38:47 web kernel: neighbour table overflow
> Mar 16 09:38:52 web kernel: NET: 3353 messages suppressed.
> Mar 16 09:38:52 web kernel: neighbour table overflow
> Mar 16 09:38:57 web kernel: NET: 3638 messages suppressed.
> Mar 16 09:38:57 web kernel: neighbour table overflow
> Mar 16 09:39:02 web kernel: NET: 3482 messages suppressed.
> Mar 16 09:39:02 web kernel: neighbour table overflow
> Mar 16 09:39:07 web kernel: NET: 3524 messages suppressed.
> Mar 16 09:39:07 web kernel: neighbour table overflow
> Mar 16 09:39:12 web kernel: NET: 3526 messages suppressed.
> Mar 16 09:39:12 web kernel: neighbour table overflow
> Mar 16 09:39:17 web kernel: NET: 3525 messages suppressed.
> 
> I continued getting these messages every 5 seconds until 3:30pm on the 16th
> and it suddenly stopped.  Has anyone seen this before?  According to the log
> file the last time someone logged in was the 14th, which was me, and I'm the
> only one with access to the system.  My ISP gave me the following log:
> 
> Time Zone: UTC
> 
> Event Date Time, Destination IP, IP Protocol, Target Port, Issue
> Description, Source Port, Event Count
> 
> EventRecord: 16 Mar 2004 20:01:47, 10.1.x.x, 6, 111, RPC Exploits, 3990, 1
> 
> EventRecord: 16 Mar 2004 19:59:28, 69.162.x.x, 6, 111, RPC Exploits, 4699, 1
> 
> EventRecord: 16 Mar 2004 19:57:50, 69.162.x.x, 6, 111, RPC Exploits, 4766, 1
> 
> EventRecord: 16 Mar 2004 19:26:16, 69.140.x.x, 6, 111, RPC Exploits, 4730, 1
> 
> EventRecord: 16 Mar 2004 18:05:04, 69.81.x.x, 6, 111, RPC Exploits, 3428, 1
> 
> EventRecord: 16 Mar 2004 16:53:43, 69.40.x.x, 6, 111, RPC Exploits, 3267, 1
> 
> EventRecord: 16 Mar 2004 15:19:00, 69.22.x.x, 6, 111, RPC Exploits, 3433, 1
> 
> Any thoughts would be greatly appriciated.
> 
> 
> 
> Nick




More information about the Ale mailing list